-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[MDEV-33479] Extend Unix socket authentication to support authentication_string #2671
base: 11.5
Are you sure you want to change the base?
Conversation
|
While the PR is to port exact same behavior and change from MySQL, we do have a concern about the expected behavior and possible security risk. With this change, both OS user that matches the DB user name and OS user that matches the authentication string will be allowed to use socket connection.
To solve above issue, we could consider only allowing
Please let me know about your opinion and if you prefer to keep the same behavior as MySQL or introduce above limitation. |
Two builds were failing but it doesn't seem to be related to my commit:
|
I would say that it's illogical that after create user 'admin' identified via unix_socket as 'root'; both create user 'admin' identified via unix_socket as 'root' or unix_socket as 'admin'; where the last |
@vuvova Thank you Sergei for your quick response! That makes sense! I'll update the PR correspondingly. |
please, don't forget to write tests for that. Normally this |
f9d1660
to
ff211d4
Compare
@vuvova Updated the commit and PR description. Please see the different cases in the new MTR test. |
604ad1d
to
31b1c96
Compare
7818d7a
to
b82932d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, added a minor comment. I will defer to @vuvova for final review as he commented on this previously (or someone else can review). I'll also create a Jira for this now.
plugin/auth_socket/auth_socket.c
Outdated
@@ -146,7 +152,7 @@ maria_declare_plugin(auth_socket) | |||
PLUGIN_LICENSE_GPL, | |||
NULL, | |||
NULL, | |||
0x0100, | |||
0x0101, | |||
NULL, | |||
NULL, | |||
"1.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really minor thing, but with the hex version bump, this should probably become "1.01" too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And the string version should match too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for reviewing and pointing out the version string mismatch! I overlooked it as MySQL does not have that string. The version string seems can be auto-generated by the hex 0x0101
which is parsed as version 1.1
? (I'm not sure why we keep two types of version though)
I saw the version string is eventually populated into PLUGIN_AUTH_VERSION
in INFORMATION_SCHEMA.PLUGINS
, and the hex is affecting PLUGIN_VERSION
column.
PLUGIN_NAME PLUGIN_VERSION PLUGIN_AUTHOR PLUGIN_MATURITY PLUGIN_AUTH_VERSION
unix_socket 1.1 Sergei Golubchik Stable 1.1
I've updated them to match in lasted commit and rebased on 11.5 branch. Thank you!
Created MDEV-33479 to track this. |
Before this change the unix socket auth plugin returned true only when the OS socket user id matches the MariaDB user name. The authentication string was ignored. Now if an authentication string is defined with in `unix_socket` authentication rule, then the authentication string will be used to compare with the socket's user name, and the plugin will return a positive if matching. Make the plugin to fill in the @@external_user variable. This change is similar to MySQL commit of mysql/mysql-server@6ddbc58e. However there's one difference with above commit: - For MySQL, both Unix user matches DB user name and Unix user matches the authentication string will be allowed to connect. - For MariaDB, we only allows the Unix user matches the authentication string to connect, if the authentication string is defined. This is because allowing both Unix user names has risks and couldn't handle the case that a customer only wants to allow one single Unix user to connect which doesn't matches the DB user name. If DB user is created with multiple unix_socket options for example: `create user A identified via unix_socket as 'B' or unix_socket as 'C';` Then both Unix user of B and C are accepted. Existing MTR test of `plugins.unix_socket` is not impacted. Also add a new MTR test to verify authentication with authentication string. See the MTR test cases for supported/unsupported cases. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
b82932d
to
ef8e8d1
Compare
Description
Before this change the unix socket auth plugin returned true only when the OS socket user id matches the MariaDB user name.
The authentication string was ignored.
Now if an authentication string is defined with in
unix_socket
authentication rule, then the authentication string will be used to compare with the socket's user name, and the plugin will return a positive if matching.Make the plugin to fill in the @@external_user variable.
This change is similar to MySQL commit of mysql/mysql-server@6ddbc58e.
However there's one difference with above commit:
This is because allowing both OS user names has risks and couldn't handle the case that a customer only wants to allow one single OS user to connect which doesn't matches the DB user name.
If DB user is created with multiple unix_socket options for example:
create user A identified via unix_socket as 'B' or unix_socket as 'C';
Then both Unix user of B and C are accepted.
How can this PR be tested?
Existing MTR test of
plugins.unix_socket
is not impacted.Also add a new MTR test to verify authentication with authentication string. See the MTR test cases for supported/unsupported cases.
Basing the PR against the correct MariaDB version
Backward compatibility
This is a new feature to make use of authentication string and should not affect backwards compatibility.
Copyright
All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.